Solved

active directory - allow users to login to OWA and Sharepoint site only, not interactive on desktop PC

Posted on 2014-12-09
3
640 Views
Last Modified: 2014-12-10
Hi there
So we have a requirement to allow certain users to login to their email via OWA and to a Sharepoint site but they should not be permitted to logon to the network in the office on a PC and therefore no access to shared drives etc.
Is there a way to do this in group policy or another way?
many thanks
0
Comment
Question by:stack888
3 Comments
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 40491476
Have you tried setting their "Log on to" in the AD user properties?  I'm not sure that works, though, I seem to recall in the past admins having a problem with this method.  Another possibility would be to create a special global group with restricted rights and then give that group only the necessary rights to log on to the Sharepoint and OWA sites. For Sharepoint, they would also need the necessary NTFS permissions to access any documents or other services and/or storage areas on your network to use the data that is being served through the Sharepoint site.
0
 
LVL 36

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40492032
Log on to tab in AD will definitely work

You need to create any fake computer account in AD and you need to edit properties of all required users and add this computer account, so that they can't logon to any other computers locally
In addition to above you need to restrict them on Remote Desktop services profile tab as well
U need to select check box "deny this user to logon to remote desktop session host server

Lastly, the below solution should work \ will work 100%
1st create one security group and add all required users to that group
At domain level create new group policy and in that policy enable deny logon locally and deny logon thru terminal services user rights setting and add above group there
These users will not be able to logon to any servers \ desktops trough RDP \ locally

Test any of above solution prior to deploy full flesh

Mahesh
0
 
LVL 2

Author Closing Comment

by:stack888
ID: 40492361
Mahesh, i ended up using pretty much your solution.
thanks!

This is what i did:

Create a group "Users Denied Interactive Logon", and make the relevant users a member.
Create a Group Policy Object (GPO) linked at the root of the domain called "Deny Interactive Logon"
In the "User Rights Assignment" subnode of the "Local Policies" subnode of the "Security Settings" subnode of the "Windows Settings" subnode of the "Computer Configuration" node I would add "Deny log on locally" permission for "Users Denied Interactive Logon" group.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Installing a printer using group policy preferences is not that hard let’s take a look at it. First lets open up your group policy console and edit the policy you want to add it to. I recommend creating a new policy for each printer makes it a l…
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question